# Privacy Policy
**Last updated:** 27/05/2026
**Effective date:** 27/05/2026
## 1. Introduction
Weldon Web LTD ("we", "us", "our") respects your privacy and is
committed to protecting your personal data. This Privacy Policy explains
how we collect, use, store, share, and protect information when you use
our software products, services, websites, and offers listed on Microsoft
Azure Marketplace and Microsoft AppSource (collectively, the "Services").
By using our Services, you agree to the practices described in this policy.
If you do not agree, please do not use the Services.
## 2. Who we are
Weldon Web LTD is a company registered in England and Wales
under company number 10988760, with its registered office at:
[REGISTERED ADDRESS]
For data protection purposes, we act as a **data controller** for personal
data we collect directly (such as account information, billing details,
and support correspondence), and as a **data processor** for personal
data you process through our Services as part of operating the software.
## 3. Information we collect
We collect the following categories of information:
### 3.1 Information you provide directly
- Account registration details (name, email, company, job title)
- Billing and payment information (handled by Microsoft for Marketplace
transactions; we do not store your payment card details)
- Support requests and correspondence
- Survey responses and feedback
### 3.2 Information collected automatically
- Service usage telemetry (feature usage, performance metrics, error logs)
- Technical data (IP address, browser type, operating system, device
identifiers, timezone)
- Authentication metadata (sign-in timestamps, Microsoft Entra ID tenant
identifiers)
### 3.3 Information processed on your behalf
When you operate our Services within your own Azure tenant (e.g. as a
Managed Application), your application data, customer data, and any
personal data flowing through the Services remain under your control as
the data controller. We process this data solely on your instructions
as a data processor, in accordance with the Microsoft Product Terms and
any Data Processing Addendum (DPA) executed between us.
### 3.4 Information we do not collect
- We do not knowingly collect personal data from children under 16
- We do not collect special category data (health, biometric, racial or
ethnic origin, political opinions, religious beliefs) unless you
explicitly choose to process such data through the Services
- We do not sell personal data to third parties under any circumstances
## 4. Why we collect this information (lawful basis)
We process personal data on the following lawful bases under GDPR and
equivalent legislation:
- **Contract performance** — to provide the Services you have purchased
- **Legitimate interests** — to improve our products, prevent fraud,
maintain security, and operate our business
- **Legal obligation** — to comply with tax, accounting, and regulatory
requirements
- **Consent** — for marketing communications, where required by law
- **Vital interests** — in rare emergency situations involving health or
safety
For California residents, this corresponds to the business and commercial
purposes described under the CCPA/CPRA.
## 5. How we use your information
We use collected information to:
- Deliver, maintain, and improve the Services
- Process transactions and provide customer support
- Communicate with you about your account, service updates, and
security notifications
- Detect, prevent, and respond to security incidents and abuse
- Comply with legal obligations and enforce our terms
- Conduct analytics to understand product usage and improve user
experience
- Send marketing communications where you have opted in; you have the
right to opt out at any time
We do not use personal data for automated decision-making or profiling
that produces legal or similarly significant effects.
## 6. How we share your information
We share information only as necessary and only with parties bound by
appropriate confidentiality and data protection obligations:
### 6.1 Microsoft
As a Marketplace publisher, we receive limited transaction information
from Microsoft (customer organisation name, Azure tenant ID, plan
purchased, billing geography). This is governed by the Microsoft
Publisher Agreement.
### 6.2 Subprocessors
We engage the following categories of subprocessors:
- Cloud infrastructure providers (Microsoft Azure, hosting our Services)
- Customer support and ticketing platforms
- Analytics and product telemetry providers
- Email and communication platforms
- Payment and billing platforms (Microsoft handles Marketplace payments)
A current list of subprocessors is available on request at
privacy@weldonweb.co.uk.
### 6.3 Legal disclosure
We may disclose information when required by law, court order, or
governmental request, or where necessary to protect our rights, safety,
or property, or that of our users or the public.
### 6.4 Business transfers
If we are involved in a merger, acquisition, or sale of assets, your
information may be transferred. We will notify you before your data
becomes subject to a different privacy policy.
## 7. International data transfers
We may transfer personal data outside your country of residence,
including to the United Kingdom, the European Economic Area, the United
States, and other countries where our subprocessors operate.
For transfers from the EEA, UK, or Switzerland, we rely on:
- **Standard Contractual Clauses** (SCCs) approved by the European
Commission and the UK Information Commissioner's Office
- **Adequacy decisions** where they exist
- **UK International Data Transfer Agreement** (IDTA) where applicable
We do not transfer personal data to jurisdictions that lack adequate
safeguards.
## 8. Data retention
We retain personal data only as long as necessary for the purposes
described in this policy:
- **Account data** — for the duration of your subscription plus 7 years
after termination, for legal and tax purposes
- **Telemetry and logs** — typically 90 days, except security logs
which are retained for 12 months
- **Support correspondence** — 3 years after case closure
- **Marketing data** — until you withdraw consent
- **Audit logs (where required for compliance)** — per the retention
configured in your deployment, typically 1–7 years
Customer data processed through Managed Applications deployed to your
own Azure tenant is retained per your configuration; we do not control
its retention.
## 9. Your rights
Depending on your location, you may have the following rights under
GDPR, UK GDPR, CCPA/CPRA, and equivalent legislation:
- **Access** — request a copy of personal data we hold about you
- **Rectification** — correct inaccurate or incomplete data
- **Erasure** — request deletion ("right to be forgotten"), subject to
legal retention requirements
- **Restriction** — limit how we process your data
- **Portability** — receive your data in a structured, machine-readable
format
- **Objection** — object to processing based on legitimate interests
- **Withdraw consent** — where processing is based on consent
- **Non-discrimination** (California) — exercise rights without
retaliation
- **Lodge a complaint** with a supervisory authority
To exercise any of these rights, contact us at privacy@weldonweb.co.uk. We
respond within 30 days (or one month for GDPR requests), and may
require identity verification before fulfilling requests.
## 10. Security
We implement appropriate technical and organisational measures to
protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Identity and access management with least-privilege principles
- Multi-factor authentication for administrative access
- Regular security assessments and penetration testing
- Incident response procedures with notification commitments
- Employee security awareness training
- Background checks for personnel with access to customer data
- Compliance with industry standards [SOC 2 Type II / ISO 27001 /
HIPAA / OTHER — list only those you actually hold or remove this line]
No system is completely secure. In the event of a personal data breach
affecting your information, we will notify you and the relevant
supervisory authority within 72 hours where required by law.
## 11. Cookies and tracking
Our public websites use cookies and similar technologies for:
- **Strictly necessary** — site functionality, authentication
- **Analytics** — anonymised usage statistics
- **Preferences** — remembering your settings
You can manage cookie preferences through your browser settings or our
cookie banner. We do not use advertising or tracking cookies for
behavioural advertising.
Our deployed software products generally do not use cookies, as they
operate as backend services within your Azure tenant.
## 12. Children's privacy
Our Services are not directed at children under 16. We do not knowingly
collect personal data from children. If you believe a child has
provided us with personal data, contact us and we will delete it.
## 13. Changes to this policy
We may update this policy from time to time. Material changes will be
communicated by:
- Posting the updated policy at this URL with a new "Last updated" date
- Emailing registered users for significant changes
- Where required by law, obtaining renewed consent
Continued use of the Services after changes constitutes acceptance.
## 14. Region-specific provisions
### 14.1 European Economic Area, United Kingdom, Switzerland
You have rights under the GDPR (Regulation 2016/679), UK GDPR, and the
Swiss Federal Act on Data Protection. Our EU/UK representative for
data protection matters is Jack Weldon, [REPRESENTATIVE ADDRESS].
You have the right to lodge a complaint with:
- **UK:** Information Commissioner's Office (ico.org.uk)
- **EU:** Your national data protection authority
- **Switzerland:** Federal Data Protection and Information Commissioner
### 14.2 California
California residents have rights under the CCPA/CPRA including the
right to know, delete, correct, opt out of "sale" or "sharing" (we do
neither), and limit use of sensitive personal information. We do not
sell or share personal information as defined under California law.
### 14.3 Other jurisdictions
We comply with applicable data protection laws in jurisdictions where
we operate, including Brazil (LGPD), Canada (PIPEDA), Australia
(Privacy Act 1988), and Japan (APPI).
## 15. Data Processing Addendum
Enterprise customers requiring a signed Data Processing Addendum (DPA)
for GDPR Article 28 compliance can request one at privacy@weldonweb.co.uk. Our
standard DPA incorporates the EU Standard Contractual Clauses and UK
International Data Transfer Agreement.
## 16. Contact us
For privacy questions, requests, or complaints:
**Weldon Web LTD**
**Attn:** Data Protection Officer
**Email:** privacy@weldonweb.co.uk
**Postal address:** [REGISTERED ADDRESS]
For EU/UK data subjects, you may also contact our representative at
jack@weldonweb.co.uk.
For security incidents, contact security@weldonweb.co.uk.
---
This policy is published at https://weldonweb.co.uk/privacy-marketplace and is the canonical version.
Translations may be provided for convenience; in case of conflict, the
English version prevails.
